www.gentoo.org/proj/en/keychain/index.xml
OpenSSH as a secure, encrypted replacement for the venerable telnet and rsh commands. One of OpenSSH's (and the commercial SSH2's) intriguing features is its ability to authenticate users using the RSA and DSA authentication protocols, which are based upon a pair of complementary numerical "keys". And one of the main appeals of RSA and DSA authentication is the promise of being able to establish connections to remote systems without supplying a password. The keychain script makes handling RSA and DSA keys both convenient and secure. It acts as a front-end to ssh-agent, allowing you to easily have one long-running ssh-agent process per system, rather than per login session. This dramatically reduces the number of times you need to enter your passphrase from once per new login session to once every time your local machine is rebooted.
The second article shows you how to use keychain to set up secure, passwordless ssh access in an extremely convenient way. keychain also provides a clean, secure way for cron jobs to take advantage of RSA/DSA keys without having to use insecure unencrypted private keys.
Solaris using whatever variant of Bourne shell you have available. keychain detects a long-running ssh-agent process that already holds drobbins' private keys and configures the shell environment appropriately. Because keychain "hooks in" to an existing ssh-agent process, drobbins gains access to his keys without typing in his passphrases, even though he just opened a brand new login session. He can now establish secure passwordless connections with any host configured to recognize these keys. That's the only time you really need to reinitialize the long-running ssh-agent process.
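As an added example (not code from the keychain project or from the article), here is a POSIX sh wrapper a cron job can use to hook in to the long-running ssh-agent that keychain manages, as described above, instead of relying on an unencrypted private key. It assumes keychain writes the agent variables to ~/.keychain/<hostname>-sh in ssh-agent's "VAR=value; export VAR;" form, that the host name comes from `uname -n`, and that `backup@example.invalid` is a placeholder target.

```shell
#!/bin/sh
# Added example, not part of keychain itself: let a cron job reuse the
# long-running ssh-agent that keychain set up at login.
#
# Assumption: keychain stores the agent environment in
# $HOME/.keychain/<hostname>-sh as "VAR=value; export VAR;" lines, and
# the host name matches `uname -n` (HOSTNAME if the shell sets it).

keychain_env_file() {
    # $1: keychain directory (defaults to ~/.keychain); prints the env file path.
    _dir="${1:-$HOME/.keychain}"
    _host="${HOSTNAME:-$(uname -n)}"
    printf '%s/%s-sh\n' "$_dir" "$_host"
}

keychain_load_env() {
    # Source the env file so SSH_AUTH_SOCK / SSH_AGENT_PID reach this shell.
    # Returns 0 only if a socket path was exported and still exists, so the
    # cron job fails closed when no long-running agent is present (a stale
    # file left behind by an agent that died no longer passes).
    _file=$(keychain_env_file "$1")
    [ -r "$_file" ] || return 1
    . "$_file"
    [ -n "$SSH_AUTH_SOCK" ] && [ -e "$SSH_AUTH_SOCK" ]
}

keychain_agent_has_keys() {
    # ssh-add -l exits 0 when the agent holds at least one key,
    # 1 when it is running but empty, 2 when it cannot be reached.
    ssh-add -l >/dev/null 2>&1
}

run_backup_via_agent() {
    # Body of a cron entry: only talk to the remote host if the agent is usable.
    # The private key stays encrypted on disk; its passphrase was typed at login.
    keychain_load_env || { echo "no keychain agent environment" >&2; return 1; }
    keychain_agent_has_keys || { echo "agent holds no keys" >&2; return 1; }
    # Placeholder host; replace with the real backup target.
    ssh backup@example.invalid 'echo backup would run here'
}
```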
  it has been broken since the changes in version 242. Now we use OSTYPE (bash) or uname to determine the system type and call ps appropriately.
  Fix minor issues in the test for existing gpg keys wrt DISPLAY.

* keychain 242 (29 Sep 2004)
  29 Sep 2004; it was broken since 240. Change default --attempts to 1 since the progs ask multiple times anyway.
  Support Sun SSH, which is really OpenSSH in disguise and a few critical outputs changed. Thanks to Nathan Bardsley for lots of help debugging on Solaris 9.
  15 Sep 2004; Fix pod2man output so it formats properly on SGI systems.
  Fix bug 26970 with first pass at gpg-agent support.
  Fix Debian bug 269722;
  in automatically so that the version can be set appropriately.
  Ignore defunct processes in ps output.

* keychain 233 (30 Jun 2004)
  30 Jun 2004; escape the backticks in --help output.
  Fix bug reported by Herbie Ong in email; set pidf, cshpidf and lockf variables after parsing command-line to honor --dir setting.
  Fix bug reported by Stephan Stahl in email; make spaces in filenames work throughout keychain, even in pure Bourne shell.
  Fix operation on HP-UX with older OpenSSH by interpreting output of ssh-add as well as the error status.

* keychain 232 (16 Jun 2004)
  16 Jun 2004; Fix bug 53837 (keychain needs ssh-askpass) by unsetting SSH_ASKPASS when --nogui is specified.

* keychain 231 (03 Jun 2004)
  03 Jun 2004; Fix bug 52874: problems when the user is running csh.

* keychain 230 (14 May 2004)
  14 May 2004; Rewrite the locking code to avoid procmail.

* keychain 222 (03 May 2004)
  03 May 2004; Call loadagent prior to generating HOSTNAME-csh file so that variables are set.

  sh-agent/ for the sake of Solaris, which cuts off ps -u output at 8 characters. Thanks to Clay England for reporting the problem and testing the fix.
  Rewrote most of the code, organized into functions, fixed speed issues involving ps, fixed compatibility issues for various UNIXes, hopefully didn't introduce too many bugs. This version has a --quick option (for me) and a --timeout option (for carpaski). Also added a Makefile and converted the man-page to pod for easier editing. Note that the pod is sucked into keychain and colorized when you run make.
  Added keychain man page, fixed bugs with displaying colors for keychain --help.
  it was being caused by "trap - foo" rather than "tail +2 -".
  To enable ssh-askpass, keychain now requires that the ssh_askpass var be set to point to your askpass program.
  "If you add < /dev/null when adding the missingkeys via "ssh-add ${missingkeys}" (at line 454 of version 20) so that it reads: "ssh-add ${missingkeys} < /dev/null" then users can use program like x11-ssh-askpass in xfree to type in their passphrase. It then still works for users on shell, depending if $DISPLAY is set."
  Now perform help early on to avoid unnecessary processing.
  keychain directory (use like this: "keychain --dir /var/foo")
  17 Aug 2002; Martial also suggested moving help processing to earlier in the script.
  keychain/ directory, which makes sense particularly for NFS users so I integrated the concept into the code.
  patch so that lockfile gets removed even if --noask is specified.
  Replaced an awk dependency with a shell construct for improved performance.
  I (Daniel Robbins) solved problems reported by Marcus and Dmitry (mis-parsed command line issues) by following Dmitry's good suggestion of performing argument parsing all at once at the top of the script.
  Integrated Cygwin support into the main keychain script; improved Cygwin support by setting "trap" appropriately.
  It may be time to follow this pattern and start building separate, optimized scripts for each platform so they don't get too sluggish.
  Added a "--local" option for removing the ${HOSTNAME} from the various files that keychain creates.
  Using the Bourne shell "type" builtin rather than using the external "which" command. Should make things a lot more robust and slightly faster.
  A one-line fix (test the error condition) has been applied.
  If you stop making progress providing valid passphrases, it's three strikes and you're out.
  This patch causes keychain to look for the corresponding public key if the private key doesn't work.
  Frederic suggested using procmail's lockfile to serialize the execution of critical parts of keychain, thus avoiding multiple ssh-agent processes being started if you happen to have multiple xterms open automatically when you log in. Initially, I didn't think I could add this, since systems may not have the lockfile command; however, keychain will now auto-detect whether lockfile is installed; if it is, keychain will automatically use it, thus preventing multiple ssh-agent processes from being spawned.
  --nocolor test is no longer inside the test for whether "echo -e" works. According to Raymond, this works optimally on his Solaris box.
  SIGTERM should be sufficient and will allow ssh-agent to clean up after itself (this reverses a previously-applied patch).
  Added argument "--quiet | -q" to make the program less intrusive to the user; with it, only error and interactive messages will appear.
  Changed the format of some arguments to bring them more in line with common *nix programs: added "-h" as alias for "--help";
  $pidf to "$pidf" fixes to allow keychain to work with paths that include spaces (for Darwin and MacOS X in particular).
  Small patch to convert "echo -n -e" to "echo -e "\c"" for FreeBSD compatibility.
  compatibility, signal handling, cleanup fixes
  21 Sep 2001; sh-agent" (zsh fix)

* keychain 14 (20 Sep 2001)
  20 Sep 2001; "touch $foo" to ">$foo" optimization and other "don't fork" fixes.
  Converted ${foo#--} to a case statement for Solaris sh compatibility. This should give us Solaris and IRIX (sysV) compatibility without breaking BSD.
  We also now kill all our existing ssh-agent processes before starting a new one.
  Very nice NFS fixes, colorization fixes, tcsh redirect -> grep -v fix.
  rm -f $pidf after stopping ssh-agent fix

* keychain 12
  09 Sep 2001; "pidof" changed to "/sbin/pidof", since it's probably not in $PATH
  06 Sep 2001;
Current maintainer: Aron Griffis

Summary: This page contains information about Keychain, an OpenSSH and commercial SSH2-compatible RSA/DSA key management application.